Wolf in Sheep’s Clothing | Fake Chrome Extension Theft Analysis
Background
On March 1, 2024, Twitter user @doomxbt reported an unusual activity on their Binance account, suspecting that their funds were stolen.
Initially, this incident did not attract much attention. However, on May 28, 2024, Twitter user @Tree_of_Alpha analyzed the situation and discovered that the victim, @doomxbt, had likely installed a malicious Aggr extension from the Chrome Store, which had many positive reviews (we have not directly verified this with the victim). This extension was capable of stealing all cookies from websites visited by the user, and it was promoted by influencers who were paid to endorse it two months ago.
In recent days, this incident has garnered increased attention. Some victims had their login credentials stolen, and subsequently, hackers used double-spending attacks to steal their cryptocurrency assets. Many users have reached out to the SlowMist Security Team for assistance regarding this issue. We will now provide a detailed analysis of this attack to raise awareness within the crypto community.
Analysis
First, we needed to locate this malicious extension. Although Google has already removed it, we can still view some historical data through snapshots.
After downloading and analyzing the extension, we found that the main JavaScript files were background.js, content.js, jquery-3.6.0.min.js, and jquery-3.5.1.min.js.
During our analysis, we discovered that background.js and content.js contained no complex or suspicious code. However, we found a link to a site in background.js, which sent data collected by the extension to https[:]//aggrtrade-extension[.]com/statistics_collection/index[.]php.
By examining the manifest.json file, we noted that background used /jquery/jquery-3.6.0.min.js and content used /jquery/jquery-3.5.1.min.js. We focused our analysis on these two jQuery files.:
In jquery/jquery-3.6.0.min.js, we discovered malicious code that processed browser cookies into JSON and sent them to https[:]//aggrtrade-extension[.]com/statistics_collection/index[.]php.
After our analysis, we proceeded to install and debug the extension in a clean testing environment (without logging into any accounts) and redirected the malicious site to a controlled one to avoid sending sensitive data to the attackers’ server.
Once the malicious extension was installed, we visited a site like google.com and observed the network requests in the extension’s background. We found that Google’s cookies were being sent to an external server.
We also saw the cookies data being transmitted on our Weblog service.
If attackers obtained users’ authentication credentials and information, they could hijack cookies via the browser extension and perform double-spending attacks on trading websites, stealing users’ crypto assets.
Next, we analyzed the malicious link https[:]//aggrtrade-extension[.]com/statistics_collection/index[.]php.
Domain involved: aggrtrade-extension[.]com
Parsing the domain information:
The .ru domain suggests the attackers are likely Russian or Eastern European hacker groups.
Attack Timeline
Analyzing the fake AGGR (aggr.trade) site aggrtrade-extension[.]com, we found that hackers had been planning this attack for three years:
Four months ago, the hackers began deploying the attack:
According to InMist Threat Intelligence Network, we discovered that the hackers’ IP was located in Moscow, using VPS services from srvape.com, with the email aggrdev@gmail.com.
Once the deployment was successful, hackers started promoting the extension on Twitter, waiting for victims to take the bait. The rest is history; some users installed the malicious extension and were subsequently robbed.
Below is the official warning from AggrTrade:
Conclusion
The SlowMist Security Team reminds users that browser extensions pose risks nearly as significant as running executable files. Always thoroughly review extensions before installation. Be cautious of unsolicited messages, as hackers and scammers often impersonate legitimate projects, targeting content creators under the guise of sponsorship or promotion. In the dark forest of blockchain, maintain a skeptical mindset and ensure everything you install is secure to prevent hackers from exploiting vulnerabilities.
About SlowMist
At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.
We offers a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) solutions, Vulpush (Vulnerability monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) , Safe Staking and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.
By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we wish to help spread awareness and raise the security standards in the blockchain ecosystem.
